Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups
Backdoor Commands
During our analysis, we discovered that there are different types of Win.NOODLERAT that implement various command IDs. Based on one of the command IDs received upon successful authentication by the C&C server, we categorized them into two clusters: Type 0x03A2 and Type 0x132A. The backdoor capability is implemented using a combination of major-ID and optional sub-ID. Table 1 lists the backdoor commands:
Actions |
Type 0x03A2 |
Type 0x132A |
||
Major-ID |
Sub-ID |
Major-ID |
Sub-ID |
|
Successfully authorized |
0x03A2 |
– |
0x132A |
– |
Message of the end of command |
0x0AC3 |
– |
0x1AC3 |
– |
Initialize module metadata |
0x194C |
– |
0x294C |
– |
Receive module data |
0x1AF2 |
– |
0x2AC8 |
– |
Launch module without pipe |
0x1397 |
– |
0x230E |
– |
Delete module metadata |
0x1D50 |
– |
0x2D06 |
– |
Upload a file to C&C server |
0x390A |
0x35C3 & 0x35C4 & 0x3013 |
0x590A |
0x55C3 & 0x55C4 & 0x5013 |
List directories recursively |
0x390A |
0x35C5 |
0x590A |
0x55C5 |
Download a file from C&C server |
0x390A |
0x35C7 & 0x35C8 & 0x35C9 & 0x3013 |
0x590A |
0x55C7 & 0x55C8 & 0x55C9 & 0x5013 |
Write given data to pipe |
0x2099 |
0x2186 |
0x3099 |
0x3167 |
Write 0x32E0 to pipe |
0x2099 |
0x220E |
0x3099 |
0x32E0 |
Write 0x38AF to pipe |
0x2099 |
0x28FA |
0x3099 |
0x38AF |
Send module data to another module |
0x2099 |
0x2741 |
0x3099 |
0x3716 |
Same as 0x3099 |
0x2099 |
0x2A0B |
0x3099 |
0x3A0B |
Start TCP server to proxy packets to the C&C server |
0x2099 |
0x2CBD |
0x3099 |
0x3CD0 |
Delete itself |
N/A |
0x1C1C |
– |
Table 1. Backdoor commands of Win.NOODLERAT
The first one, Type 0x03A2, implements most commands except the last one, deleting itself. This type of Win.NOODLERAT was used by Iron Tiger and other unknown clusters for espionage purposes, suggesting that this version could be a shared version.
The second one, Type 0x132A, implements full features. This type of Win.NOODLERAT was used only by Calypso APT. Therefore, this is likely an exclusive version.
Interestingly, upon comparing the command IDs, we found that some have similar parts. For instance, the command IDs to upload a file to the C&C server are 0x390A and 0x590A respectively; this similarity might be an indicator of versioning, but there is not enough evidence to conclude such.
Linux.NOODLERAT
Linux.NOODLERAT is an ELF version of Noodle RAT, but with a different design. This backdoor has been used by several groups with various motivations, such as Rocke (Iron Cybercrime Group) for financial gains
Cloud Snooper Campaign for espionage, and an unknown cluster also for spying purposes. Since it’s designed differently, its backdoor capabilities are also slightly different:
- Reverse shell
- Download & Upload files
- Scheduling execution
- SOCKS tunneling
Initialization
In most cases, Linux.NOODLERAT was deployed as an additional payload of an exploit against public-facing applications. After deployment, the backdoor copies itself to /tmp/CCCCCCCC and performs process name spoofing by overwriting “argv.” Then, it decrypts the embedded config by RC4 with the hardcoded key, “r0st@#$.” The decrypted config is formatted as shown in the diagram below; Linux.NOODLERAT will connect to the defined C&C server based on the config.
Read More HERE